KR20040019375A - System and method for managing network service access and enrollment - Google Patents

Abstract

A system and method are described for automatically exchanging network connections to a suitable network entity based on access rights held by a user of a wireless terminal. The exchange recognizes the certificate provided by the terminal and, if the certificate is found to have the appropriate access rights, designates a connection to the service provider hosting the targeted security service. If the certificate does not correspond to the service provider's required certificate, the exchange designates a connection to a registration module, in which case the user ultimately accesses the registration module for access to the targeted security service. You can try to obtain a suitable certificate from.

Description

System and method for managing network service access and enrollment}

Computer networking refers to a data communication system that is generally made up of a connection of two or more computing systems. Networking allows anyone with access to the network to share programs, data, network resources, database information, and to facilitate other functions such as e-mail and data backup. Because of the need for direct access to information, the search for more sophisticated networks and network applications has accelerated to deliver information simply and efficiently.

Because of its vast scope, the global web of interconnected computers and computer networks, referred to as the Internet, has proved to be a very valuable tool in meeting the need for information on demand. The Internet is being used as a business and personal tool to facilitate worldwide e-mail, remote data access, and academic research. In addition, the Internet's ability to deliver multimedia content has made the Internet an entertainment tool for playing games, delivering stream content such as video, audio and MP3, and the like.

In the past, hardware access to the Internet was required to achieve access to information available through the Internet. The Internet allows users to access information through any computer or terminal connected to the Internet, but due to the need for a hardware connection, the Internet has an undesirable physical limitation on accessing information, i.e., to move around. It has become a special obstacle for users who spend considerable time. As users become more dependent on information and services provided over the Internet, integration of the Internet and wireless domains is becoming increasingly important.

Wireless networks such as GSM, IS-136, IS-95, PDC, and the like have been used in a conventional manner in connection with mobile telephone communications. Such sophisticated wireless networks have enabled other telecommunications benefits by allowing mobile phone users to communicate with other mobile terminal users and with landline telephone systems. However, because of the mobility and convenience of mobile terminals, there still exists a need to integrate information networks such as intranets and the Internet.

Because of this need, efforts have been made to integrate wireless network platforms with intranets and other networks. One solution is the Wireless Application Protocol (WAP), which introduces the benefits of the Internet into the wireless community. WAP bridges the gap between the wired Internet paradigm and the wireless domain, allowing wireless terminal users to enjoy the benefits of the Internet through both platforms.

WAP is typically a set of protocols that describe the characteristics and functionality of both Internet standards and standards for wireless services. It is independent of the wireless network standard and is designed as an open standard. Motivation for WAP is primarily the result of physical and logical limitations of small wireless terminals such as limited keyboard and display, limited bandwidth, limited memory and processing power, and limited battery power. The markup language, referred to as Wireless Markup Language (WML), is a service designed to fit smaller, often mobile, handheld terminals with a fairly limited display area compared to desktop counterparts that HTML targets. Used to authorize. Another feature of WAP services is the availability of supporting more advanced functional tasks using WML scripts that are at least somewhat similar to the use of JavaScript in relation to the HyperText Markup Language (HTML). . Enhancements available through WML scripts include procedural logic and computation for WAP-based services.

Therefore, the WAP allows the desired information stored on the remote network to be delivered to the wireless terminal in the wireless network. For example, information available via the Internet can now be downloaded onto a mobile wireless terminal such as a mobile phone, personal digital assistant (PDA), laptop computer, wireless pager, and the like.

However, the ability to deliver information electronically, especially when communicated over the air (OTA), creates a variety of security issues. In order to maintain privacy and confidentiality in telecommunications and e-commerce, methods have been devised in the computer and telecommunications industry to provide secure connections. For example, in the Internet world, security is often provided through Transport Layer Security (TLS), which provides data between a Secure Sockets Layer (SSL) browser and a WWW server. The standard name for the industry standard protocol for safe exchange. In a wireless environment, such as a WAP environment, security is currently provided with the Wireless Transport Layer Security (WTLS) protocol, which is similar to TLS, but with differences primarily related to the low bandwidth requirements of current wireless communications. .

In order to provide the necessary security for a particular wireless application or transaction, several types of "certificates" are implemented. For example, an authentication certificate may be issued when the user is identified as an authorized user. An accredited certificate may be issued even if it is determined that the user has authority to access or modify certain information. The authorized certificate may also include non-repudiation information referring to the manner in which the user cannot later deny that the user has participated in the transaction.

In order for a user to access a particular security service, the user may need to obtain such a certificate through an appropriate registration process. If the user already holds such a certificate, for example via a local storage device on the mobile terminal, the user can access the security service. However, if the user does not yet have such a certificate, such certificate must be obtained before the user can access the desired security service.

Currently, when a user has a certificate suitable for achieving a desired communication or performing a desired transaction, the user accesses a desired service through a WAP session via a first gateway. If the user does not have the required certificate, the attempted connection will be denied, and the user must obtain OTA WAP settings indicating how to obtain the required certificate. The user must terminate the current WAP session, initiate a new WAP session, and then obtain registration information via the second gateway. If the user has received a certificate, the existing WAP settings must be communicated to the user via OTA, and the customer terminates the current WAP session and then resumes the WAP session for access to the desired service. It can be seen that this way of obtaining the required certificate requires multiple WAP sessions through multiple gateways, which is inefficient and complicated for the user.

Regardless of whether a user has already been authenticated and / or authorized for the use of a security service, it would be desirable to provide a more efficient and convenient way to access the security service. Thus, it would be desirable to avoid the aforementioned and other problems associated with conventional systems. The present invention provides a solution to the aforementioned and other disadvantages of the prior art, while providing additional advantages over the prior art.

The present invention relates generally to network communications systems and, more particularly, to systems and methods for managing access and registration of users to secure network services.

1 illustrates a representative embodiment of a networking environment in which the principles of the present invention may be applied.

2 is a diagram illustrating an example of a layering of a typical WAP reference model and WAP protocol.

3 shows an example of a handshake protocol used to establish a connection.

4 and 5 are block diagrams of an exemplary automatic authentication management system in accordance with the present invention.

6 is a block diagram illustrating one way in which a registration manager can be used in connection with the present invention.

7 and 8 are flowcharts illustrating an exemplary embodiment of a process for automatically assigning a network connection based on access rights held by a user of a wireless terminal.

The present invention relates to a system and method for automatically exchanging network connections to a suitable network entity based on access rights held by a user of a wireless terminal.

According to one embodiment of the present invention, there is provided a method for automatically assigning a network connection based on an access right held by a user of a wireless terminal. The method includes receiving from the wireless terminal a certificate having security information indicative of the access rights held by the user. It is determined whether the received certificate corresponds to a service provider's authorized certificate referring to access rights to the targeted service. If the received certificate corresponds to the authorized certificate of the service provider, the network connection is assigned to the targeted service; otherwise, the service provider if the received certificate does not correspond to the authorized certificate of the service provider The network connection is specified in a registration module for registration of a public certificate.

According to another embodiment of the present invention, a system for managing access and registration to security services available to a user via a wireless terminal is provided. The system includes a service module that allows a service provider to use the security service to a user of the wireless terminal. A registration manager is provided to achieve user registration with the security service. The system also includes an exchange connected to receive a security certificate used by the wireless terminal in establishing a connection. The exchange designates a connection to the service module or a connection to the registration manager according to a security certificate used to establish the connection.

According to another embodiment of the present invention, there is provided a system for managing a user's access and registration to security services available on a network, in which case the system comprises a wireless network. A plurality of wireless terminals may operate within the wireless network. Another network comprising a plurality of network computing systems includes a server computing system that hosts a security service targeted by at least one of the wireless terminals. At least one of the computing systems constituting the network computing system is a registration server used to achieve user registration with the security service. A gateway computing system is provided that is configured to bridging communication between the wireless network and the computing system network. A network switch is connected to receive a public certificate used by the wireless terminal in establishing a connection with the computing system network. The network exchange exchanges a connection to the server computing system or a connection to the registration server according to a public certificate used by the wireless terminal in establishing the connection.

The above detailed description of the invention is not intended to describe each illustrated embodiment or implementation of the invention, but rather the following description and drawings.

In the following description of the various embodiments, reference is made to the accompanying drawings which form a part hereof, and which show by way of illustration various embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized and structural and functional modifications may be implemented without departing from the scope of the present invention.

The present invention relates to a system and method for automatically exchanging network connections to a suitable network entity based on access rights held by a user of a wireless terminal. Such an exchange recognizes the certificate provided by the wireless terminal and directs the connection to the service provider hosting the targeted security service if the certificate is found to have appropriate access rights. On the other hand, if the certificate does not correspond to the service provider's required certificate, the exchange specifies access to a registration module, in which case the user ultimately accesses the targeted security service. Attempt to obtain a suitable certificate from the module.

1 illustrates a representative embodiment of a networking environment in which the principles of the present invention may be applied. The invention described herein is largely described in terms of Wireless Application Protocol (WAP). However, it will be readily apparent to one skilled in the art upon reading the description provided herein, but the present invention may be equally applicable to other current or future wireless protocols that require some level of secure connection. Therefore, although the present invention has been described in connection with a WAP environment to assist in understanding the present invention, it should be appreciated that the present invention is not limited thereto.

In the exemplary conventional WAP environment shown in FIG. 1, the WAP terminal 100 is a wireless network 102, for example, a global system for mobile communication (GSM) network widely used in Europe and elsewhere. General Packet Radio Service (GPRS), a packet communication service based on the European Digital Mobile Phone GSM network standardized by the European Telecommunications Standards Institute (ETSI), High-Speed Circuit-Switched Data (HSCSD) Or in other types of second generation (2G), next generation GSM networks such as third generation (3G), or future networks. Some additional examples of such networks include Wideband Code Division Multiple Access (WCDMA), Enhanced Data Rates for Global Evolution (EDGE), CDMA2000, and cdmaOne. However, it is not limited to these. The invention is also applicable to other wireless networking technologies that are capable of integration with other networks such as the intranet and the Internet. Within the wireless network 102, the WAP terminal 100 may be in communication with another wireless device or terrestrial communication device having, for example, a base station (BS) 104.

The information request is a standardized logic for representing various resources, such as files and newsgroups, on the Internet where it is common to use the Wireless Session Protocol (WSP), which is essentially a binary version of HTTP. Address) from the wireless network 102 to the WAP gateway 106. Such URL 108 is the address of the request information available over network 110, such as a terrestrial communications network, including an intranet or the Internet. In terms of intranet / internet, the WAP gateway 106 sends the URL to a suitable destination, and further information about the WAP device via HTTP headers such as subscriber number of the WAP-acceptable mobile phone, its cell ID, location, etc. Can be provided. The WAP gateway 106 also converts the content sent to the WAP terminal 100 into a format that the WAP terminal 100 can understand, such as binary 'Wireless Markup Language (WML)'. .

More specifically, the URL 108 is transmitted from the WAP gateway 106 to a server computing system, such as an origin server 112, for example using HTTP. The request sent in the form of URL 108 is a request to the data server 112 to return the desired content. The data server 112 may return the requested content to the WAP gateway 106, and the requested content may ultimately be detected by the WAP terminal 100. In one embodiment, the requested content is provided to the HTML filter 114 by the origin server 112 in HTML form, the HTML filter 114 displaying textual HTML as indicated by line 116. Filter out graphics and other content to provide it. The origin server 112 may also provide textual HTML directly as indicated by line 118. In either case, the WAP gateway 106 receives the textual HTML content and textual HTML content as indicated by line 119 for processing and presentation at the WAP terminal 100. To binary WML.

The origin server 112 may alternatively be configured as an intranet or a local area network (LAN). The intranet 110 may be structurally configured to communicate directly with the WAP gateway, or alternatively, may support the Internet. In such a networking environment, the URL 108 is sent from the WAP gateway 106 to a local server (not shown), which may then retrieve information from the origin server 112. The present invention may be implemented in connection with any network capable of communicating with the WAP gateway 106, and may include various multi-node network architectures such as multipoint, star, loop, loop, mesh, etc. LAN) to the widespread 'global area network' (GAN), such as the Internet.

The WAP terminal 100 receives WML contents, and a microbrowser inherent in the terminal 100 adjusts a user interface. The WAE user agent 120 associated with the terminal 100 is an application environment that enables operators and service providers to efficiently build applications and services. The WAE 120 includes the microbrowser mentioned above.

Whenever an electronic transmission or exchange of data occurs, the security problem of such a transfer or exchange arises. Security can be extremely important to maintain privacy and confidentiality in communications and electronic commerce. To address security issues, approaches have been devised in the computer and telecommunications industry to provide secure access. For example, in the Internet world, security is often provided through Transport Layer Security (TLS), which provides data between a Secure Sockets Layer (SSL) browser and a WWW server. The standard name for the industry standard protocol for safe exchange.

The wireless environment provides a high degree of convenience, but also poses additional security risks and relationships based primarily on the accessibility of the transmission medium itself. Thus, facilitating a secure connection in wireless communication requires careful attention. In a WAP environment, security is currently provided in the Wireless Transport Layer Security (WTLS) protocol, which is similar to TLS, but with differences primarily related to the low bandwidth requirements of current wireless communications.

2 shows an example of layering of a typical WAP reference model 200 and WAP protocol. The top layer shown is the application layer 202, which is a Wireless Application Environment (WAE) layer for the WAP architecture. This layer establishes an interoperable environment in which operators and service providers can build applications and services to reach a variety of different wireless platforms. WAE layer 202 typically includes a microbrowser that provides a user interface for a mobile terminal user. The next layer shown is the session layer 204, which in the WAP environment is the Wireless Session Protocol (WSP) layer. The WSP layer provides an interface to the WAE layer 202, including connected and disconnected services. The transaction layer 206, or Wireless Transaction Protocol (WTP) layer, provides transaction services. The Transport or Wireless Datagram Protocol (WDP) layer 210 provides a consistent service to the upper layer protocols of the WAP and transparently communicates through one of the available lower bearer services 212. Other WAP applications may include different numbers of layers or hierarchy changes, and FIG. 2 provides one typical example of a WAP application.

This major transport protocol adds Wireless Transport Layer Security (WTLS), which adds optional cryptographic functionality to enable secure transactions. Although optional, the WTLS associated with the security layer 208 shown in FIG. 2 has proven to be an important aspect of wireless communication. WTLS is a security protocol that provides the main security element of WAP communication, and consequently provides a secure network connection session between the WAP terminal and the WAP gateway. As will be described in more detail below, WTLS provides a number of security features, including authentication, confidentiality, data integrity, and denial-of-service protection.

The WTLS security layer shown in FIG. 2 provides several levels of security. For example, WTLS Class 1 usually provides privacy and data integrity. As WTLS Class 2 provides privacy, data integrity, and WAP gateway authentication, a client can authenticate identification information of a gateway with which the client is communicating. High security is WTLS Class 3, which, together with WAP Client Authentication, incorporates the features of Class 2 above to provide mutual authentication between the WAP Gateway and the WAP Client.

The service provider may provide a security based service that implements security features provided by a wireless protocol such as WAP. For example, a WAP Public Key Infrastructure (WPKI) service is a WAP service, and the WAP service provides an application based on a public key infrastructure (PKI). This refers to the use and approach of keys in public key cryptosystems. Thus, WPKI provides a way to allow the trust relationships needed for server and client authentication.

A good example of a PKI-based service is a banking application that requires a high level of security. In PKI-based banking applications, the client is authenticated using an authentication certificate. As is known in the art, authentication generally refers to verification of identification information of a person or entity involved in communication. Digital certificates typically include using a certificate that can be verified by an accredited Certification Authority (CA).

In addition to authentication, a transaction authentication procedure may be necessary to enable the client to achieve the desired transaction. Authorization is the determination of a particular user's authority to access or modify certain information. Thus, even if the user's identification information is authenticated, there may still be a need for the user to have the appropriate rights to perform the desired transaction. For example, a user may be considered authenticated for a banking application, but such authenticated user may not be authorized to perform a particular banking transaction for a particular bank account. In addition, in connection with such authorization, non-repudiation may be involved, which means that the user cannot later deny that the user has participated in the transaction. The client is authorized using the non-repudiation / digitally signed certificate.

For a particular class of security, the client must have this public and non-repudiation / digital signature certificate to use the desired application. The certificate includes information such as the public key, the user's name, and the service provider's signature. In an exemplary system, the certificate is stored in a WAP terminal, such as a WAP (WAP Identity Module) or a Wireless Identity Module (WIM). The WIM stores information needed for the protocol to execute its security and authentication functions (e.g., public key) and can be used to execute related public key algorithms (e.g. RSA, EC-DH, EC-DSA, etc.). Can be. The WIM may be integrally provided with a Subscriber Identity Module (SIM) on a conventional smart card, which may in turn be used in a mobile terminal such as a wireless telephone.

When a mobile terminal user receives a WIM card, it is common for the certificate to be for a particular user or not for a user use of the desired security service. This configuration is necessary before the user can access the service. In other words, the user must register for the service. As will be described in more detail below, the Registration Manager module is used to facilitate such registration. This module verifies customer identification information and verifies that the user has the necessary information, such as the WIM's private key. If such verification is successful, the user receives an accredited and non-repudiation certificate for such a service.

More specifically, the customer / user may have installed a service certificate or installed on their own mobile terminal before being able to use a mobile service that relies on the Wireless Public Key Infrastructure (WPKI) for user authentication. You need a URL that represents a service certificate. The service certificate is a standard record containing the description of the service certificate owner, including the public key. The Registration Manager allows online delivery of such service certificates. The user receives the service certificate through the mobile terminal without actually having to physically collect the service certificate.

In order to establish a secure connection between the requesting client terminal and the targeted server, a series of communications is first established to establish a contact and to establish the manner in which these entities communicate. This can be accomplished in a variety of ways, one of which is the handshake protocol mentioned in the WAP Forum Wireless Application Communication Protocol Radio Transport Layer Security Specification (WAP WTLS). This specification, namely WAP-199-WTLS (Version 18, February 1000), is one of a set of specifications gained from the efforts of the WAP Forum, and is largely related to the Security Layer Protocol (WTLS). The parameters of the secure session are generated by the WTLS handshake protocol through a compromise of the security attributes of the desired secure session. In one embodiment of the present invention, at least a portion of the WTLS handshake protocol may be used to attempt to establish a secure connection, and the principles of the present invention may be applied in connection with the WTLS or similar handshake protocol.

3 shows an example of a handshake protocol used to establish a connection. The initiation message, shown as a client hello message 302 in FIG. 3, is initiated on the client side 300 of the communication exchange. This message 302 is the original message of the client 300 to the server 310. On server side 310, server hello message 312 is also generated. The exchange of the initiation message, i.e., client hello message 302 and server hello message 312, is used to match against the cryptographic key exchange algorithm and the exchange random value. If the server 312 does not respond to the server hello message 312 with the client hello message 302, an error will occur and the connection will not be established. Alternatively, the server 310 may select specific security information for use in establishing a secure connection, and if no acceptable choice is provided to the server 310, the server will handshake. Return the fault notification and terminate the connection. If the server 310 can find an acceptable set of algorithms, the server 310 dispatches a server hello message 312 to the client 300.

If the server hello message 312 is successfully sent to the client 300, the server sends a certificate message 314 if the certificate should be authenticated. This message provides an indication of a suitable certificate form. In addition, a server key exchange message 316 may be sent when needed, in which case the server does not have a certificate or the server's certificate is only for signing. Thus, in accordance with the key exchange method, the server key exchange message 316 may be associated with a result where the client is a pre-master secret (eg, a public key that encrypts a secret, and the client 300 is the pre-master secret). Parameters that enable the key exchange to complete, and so forth). The server 310 may request a certificate from the client 300, such as by sending a certificate request message 318. Associated with the certificate request message 318 is a list of names and forms of acceptable Certificate Authorities (CAs). The server 310 ultimately sends a completion message, such as a server hello execution completion message 320, and waits for a response from the client 300.

However, the client 300 may or may not have a suitable certificate for access to the service. As mentioned above, when a mobile terminal user receives a WIM card (or similar storage and function module), it is common for the certificate not to be configured for a particular user or for user use of the desired service. Thus, in the example of FIG. 3, the client 300 cannot supply a suitable certificate for access to the service. Conventional methods for handling this situation have involved a complex series of WAP sessions managed through multiple gateways.

On the other hand, the present invention simplifies the service registration process with automatic access to the appropriate entity, whether the appropriate entity is the desired service or registration manager. Such a system may be configured to notify the client terminal of the desired sequence of authorized certificate usage, and to automatically exchange access to a security service or registration manager in accordance with the specific authorized certificate held by the client terminal. In this way, the connection avoids segmented access schemes implemented in the prior art solutions and avoids association with multiple gateways. In addition, the automatic service registration exchange provided by the present invention provides the user with a seamless function through an automatic and intelligent process that is transparent to the user.

Referring now to FIG. 4, there is provided a block diagram of an exemplary automatic authentication management system 400 in accordance with the present invention. In this example, the user of the wireless terminal 402 has established a WTLS Class 3 connection. The terminal 402 may be a plurality of terminals, such as a mobile phone 404, a personal digital assistant (PDA) 406, a laptop or laptop computer 408, or other type of terminal represented by the terminal 410. It can represent any one of the mobile communication terminal. As mentioned above, the WTLS Class 3 connection uses a public certificate. WTLS Class 3 connections are secure and involve user and server authentication.

The signed public certificate 412 provided by the service provider of the WPKI service 414 is provided to the WAP gateway 416 and the SIGNET exchange 418. These certificates 412 may be provided as a list of authorized certificates in a preferred order. For example, a typical preferred order is

1. Certificate of Service Provider

2. WIM card manufacturer's certificate

3. It may be an order of certificates from another WIM card manufacturer. According to the present invention, the SIGNET exchange 418 can establish this connection using the first certificate available at the terminal 402 in the order defined by the list of authorized certificates 412. Specifies a connection to). For the exemplary preferred sequence mentioned above, the SIGNET exchange specifies in this manner the connection to the terminal 402 to establish a connection using the certificate that the service provider signed (ie, the service provider's certificate). For example, by examining the WIM or other storage module in the terminal 402, it may be determined whether the terminal 402 holds such an authorized certificate.

If the user has not yet obtained a service provider's certificate, or otherwise has not obtained a service provider's certificate, the user registers for the use of a service provided by such service provider (eg, WPKI service 414). It doesn't work. In this case, in the above-mentioned example, which indicated that the service provider was "trusted", the connection is made using the next available accredited certificate 412, which is the certificate of the WIM manufacturer. This does not allow user access to the WPKI service 414, but rather allows the connection to be established based on a trusted secondary authorized certificate. If a connection based on the WIM manufacturer's certificate is successfully established, the SIGNET exchange 418 does not establish that the connection is established with a service provider's certificate, but rather a trusted secondary authorized certificate (ie, the WIM card manufacturer's certificate). Certificate has been established.

The SIGNET exchange 418 identifies which public certificate was used to establish the connection and assigns access to the appropriate application for the user. If the connection is established using the service provider's certificate, this indicates that the terminal 402 holds the certificate of the appropriate service provider, and the SIGNET exchange 418 provides the user with a service, in this example (generally Specifies access to the service indicated by the WPKI service 414 (which indicates that it is any security service). Alternatively, if a connection is established using the trusted certificate of the trusted WIM card manufacturer, the SIGNET exchange 418 assigns the user access to an entity that allows registration for the desired service to be achieved. In the illustrated embodiment, this entity is the registration manager 420. In one embodiment of the present invention, registration manager 420 is used to register a user with a desired service 414. The registration manager 420 verifies the subscriber / user identification information and determines whether the user has a private key in the WIM (or other similar identification module). The registration manager 420 may cooperate with the certification authority 422 to make the necessary decisions. If such a check is established that the user has the appropriate security and identification information, the registration manager 420 issues a suitable public certificate from a trust relationship with the user for that particular server 414.

5 is a block diagram showing another automatic management system 500 according to an embodiment of the present invention. As mentioned in connection with FIG. 4, the user of the wireless terminal 502 has established WTLS Class 3 in this example. The public certificate provided by the service provider of the WPKI service 504 is provided to the terminal 502 by the SIGNET exchange 506. The exchange 506 includes a public certificate identification module 508, which provides a preferred public certificate sequence to the terminal 502 via a gateway 510. According to one embodiment of the invention, the public certificate is stored in memory and may be dispatched by the public certificate identification module 508 via a certificate request message, such as the certificate request message 318 of FIG. Associated with this certificate request message is a list of names and forms of authorized certificates of the service providers, as well as the accredited certificates of the trusted authorities mentioned in the preferred order. In one embodiment of the invention, the service provider's certificate is referred to as the highest grade certificate.

The terminal 502 returns a client certificate indicated by a public certificate corresponding to the highest grade certificate held in the terminal 502. If the terminal 502 has a public certificate of the service provider, the terminal 502 uses that public certificate in response to the client. This public certificate, returned from the terminal 502 and shown by line 512, is compared to the public provider's public certificate in comparison module 514. In this example, the comparison module 514 assigns the user access to the WPKI service 504 by detecting that the client certificate used corresponds to a service provider's public certificate (SP CERT).

Alternatively, if the terminal 502 does not have an authorized certificate of the service provider, the terminal 502 may be of the highest grade held by the terminal 502, such as a certificate of the WIM card manufacturer. Return the certificate. In this case, the comparison module 514 determines that the returned certificate does not correspond to the service provider's authorized certificate (NOT SP CERT), and assigns the user access to the registration manager, so that the user can register for the service. have.

Functions associated with the SIGNET exchange 506, such as the comparison and routing functions, may be implemented in software or in hardware used in connection with processing modules. In the example of hardware, the comparator may determine whether the public certificate used by the user to establish a connection requires a connection to the registration manager 516 or the service 504. The connection may be assigned to a suitable entity using the results of comparison module 514 to indicate which path the connection should take. For example, an implementation of hardware may use the results of comparator module 514 to control the exchange or multiplexing module to assign access to the appropriate entity to the user. Various software implementations may also be used. In one particular embodiment, a Java servlet running on a WAP gateway may be used to incorporate the functionality of the exchange 506 into the WAP gateway 510 by implementing the functionality of the SIGNET exchange 506. . As is known in the art, Java ^TM is a general purpose, object oriented language and is a " write once, run anywhere " programming language that facilitates the execution environment. Servlets are pieces of Java native code that add functionality to a web server in a similar way to applets add functionality to the browser. Java servlets are known to those skilled in the art.

The comparing module 514 may be configured to compare the public certificate used by the terminal to establish the connection with the public certificate of the service provider. In such an implementation, if a match is found, the user is assigned access to the server 504. If no match is found, this indicates that the connection is established with any other public certificate (such as a WIM manufacturer's certificate), but in either case, no public certificate of the service provider is established. In another embodiment, the comparison module 514 may compare each of the public certificates 508 in the ordered list of preferred certificates to the public certificates used to establish the connection. In this situation, a multiple comparison function is performed in the comparison module 514, where the comparison module 514 subsequently states that if such a comparison function exists, a result match of any of the comparisons was made. Output the display. Other comparison schemes can also be used in accordance with the present invention. In any case, the result of the determination of the particular public certificate used to establish the connection is used to refer to a suitable way to assign to the user.

The exchange 506 and the gateway 510 are illustrated as separate modules, but this is understood because the exchange 506 may be different from the WAP gateway 510 and may be integrated with the WAP gateway 510. It should be recognized that it is intended to help.

Thus, the SIGNET exchange 506 instructs the user to establish the connection with the first matching public certificate found at the terminal 502 against a list of ordered public certificates. If the user does not receive a service provider's certificate, the connection is made with a trusted public certificate, such as the WIM manufacturer's public certificate. When the connection is established, the SIGNET exchange 506 determines which public certificate was used and assigns the user access to the appropriate application.

If the user does not receive a service provider's certificate, the SIGNET switch 506 automatically assigns the user access to the registration manager 516. This allows the user to register for the desired service. 6 is a block diagram illustrating one way in which a registration manager can be used in connection with the present invention. The registration manager 600 receives the public certificate 602 used by the user in establishing the connection. As is known in the art, such certificates include information to support authentication, such as certificate verification, issuer name and identification information, certificate serial number, signature algorithm, version number, and the like. The registration manager 600 uses this information obtained through the automatic routing mechanism provided by the SIGNET exchange. The registration manager 600 may, as mentioned in connection with FIG. 4, identify specific information for determining whether the user has a suitable private key to verify the user's identification information and achieve access to the desired service. Perform the functions of

The registration manager 600 is cooperative with the certification authority 606. The certification authority (CA) 606 is an entity that issues, renews, and revokes a certificate with a public key in response to an authenticated request from a legitimate registrar. More specifically, CA 606 is a service that can generate data by placing data in a predetermined format and then digitally signing such data. CAs act as trusted third parties to introduce clients that they know not directly from each other. The CA certificate may be signed by the certificate authority itself, or by some other CA, such as a top-level certificate authority ("root" CA). Certificate authority 606 holds a private key that is used to sign a certificate with a domain member key. The registration manager 600, assisted by the certification authority 606, determines whether the user has the appropriate private key or other necessary information, and if the user has the appropriate private key or other necessary information, the registration. The manager 600 registers a user with a desired service. The resulting certificate 608, such as an authorized and non-repudiation certificate for the desired service, is provided to the user. Other certificates may also be returned to the user if the resulting certificate is configured to be provided to the user, such as an authorized and non-repudiation certificate for the service.

7 is a flowchart illustrating a representative embodiment of a process for automatically assigning a network connection based on determinable access rights held by a user of a wireless terminal. Access to the service may be obtained from a security certificate, such as a public certificate provided by the wireless terminal. The public certificate is received from the wireless terminal (700), and it is determined whether the received certificate corresponds to the public certificate authorized by the service provider (702). If the received certificate corresponds to a public certificate accredited by the service provider, the connection is exchanged with the server of the service provider hosting the secure service (704). The user can then access the security service via the wireless terminal (706).

If the received certificate does not correspond to a public certificate accredited by the service provider, the connection is exchanged with a registration manager (708), in which case the user is registered with the security service (710). If the registration is not successful, the user is prohibited from accessing the security service, as shown in block 714. If the registration is successful, as determined at decision block 712, the service provider's authorized certificate (s) is passed to the user (716) and the session can be terminated (718). If the current user has an authorized certificate of the service provider, the user can establish a connection for access to the service through the wireless terminal, in which case follow the flow of blocks 700, 702, 704, 706.

8 is a flow diagram illustrating another exemplary embodiment of a process for automatically assigning a network connection based on access rights held by a user of a wireless terminal. In this embodiment, the wireless terminal customer contacts the WPKI service (800) and establishes a WTLS connection (802). It is determined whether the customer has a suitable public certificate for the WPKI service (804). If the customer has a suitable public certificate for the WPKI service, the service is accessed by the user (810). If the customer does not have a suitable public certificate for the WPKI service, the connection is redirected to the registration manager to obtain the public certificate (806). If the public certificate is obtained, the WAP session may be terminated (808). At this point, the user can access the service by establishing a connection using the service provider's authorized certificate, as shown by the dashed line returning to block 800 if necessary.

It is to be appreciated that the above-mentioned embodiments are representative examples of the various automatic access and registration principles described herein, and that the present invention is not limited to such illustrated embodiments.

Using the aforementioned specifications, the present invention can be implemented as a machine, process, or article of manufacture using standard programming and / or engineering techniques to produce programming software, firmware, hardware, or any combination thereof.

The resulting program (s) having computer readable program code may be included in one or more computer usable media, such as a memory device or a transmission device, to implement a computer program product or article of manufacture according to the present invention. For this reason, the "article of manufacture" and "computer program product" as used herein are (permanently, provisionally, or temporarily) on any computer usable medium, such as in any memory device or any transmission device. It is intended to include existing computer programs.

Execute the program code directly from one medium, store the program code on one medium, copy the code from one medium to another, transfer the code using a transmission device, or other equivalent action May include the use of a memory or transmission device that temporarily contains only program code as a preliminary or final step in the manufacture, use, or sale of the invention.

Memory devices include, but are not limited to, hard disk drives, diskettes, optical disks, magnetic tape, RAM, ROM, PROM, and the like. Transmission devices include, but are not limited to, the Internet, intranets, telephone / modem-based network communications, hard wire / cable communications networks, cellular communications, radio communications, satellite communications, and other fixed or mobile communications network system / communication links. Do not.

A machine embodying the present invention may be one or more including a CPU, memory / storage device, communication link, communication / transmission device, server, I / O device, or software, firmware, hardware, or any combination or partial combination thereof. It may include one or more processing systems, including but not limited to any accessory or individual parts of the processing system, which embodies the invention as described in the claims.

From the description provided herein, those skilled in the art will appreciate that a general purpose suitable for manufacturing computer systems and / or computer accessory parts embodying the present invention, and for manufacturing computer systems and / or computer accessory parts for carrying out the method of the present invention. Or software that is manufactured as described with dedicated computer hardware.

Of course, it will be understood that various modifications and additions may be made to the above-described various forms of embodiments without departing from the scope or spirit of the invention. Therefore, the scope of the present invention should not be limited by the specific embodiments mentioned above, but should be defined only by the claims and equivalents described below.

Claims (33)

A method for automatically assigning a network connection based on an access right held by a user of a wireless terminal, Receiving from the wireless terminal a certificate having security information indicating access rights held by the user; Determining whether the received certificate corresponds to an authorized certificate of a service provider that refers to access to a targeted service; Designating a network connection to the targeted service if the received certificate corresponds to an authorized certificate of the service provider; And If the received certificate does not correspond to the authorized certificate of the service provider, designating a network connection to a registration module for registration of the authorized certificate of the service provider. 2. The method of claim 1, further comprising providing the wireless terminal with a list of one or more available predetermined certificates. 3. The method of claim 2, further comprising providing the wireless terminal with a list of available predetermined certificates in a predetermined order that can be selected at the wireless terminal. 4. The method of claim 3, further comprising the step of selecting at the wireless terminal a locally stored certificate that corresponds to a top predetermined certificate that matches a locally stored certificate. 5. The method of claim 4, further comprising establishing the network connection using the selected locally stored certificate, wherein the selected certificate is a certificate received from a wireless terminal having security information representing access rights held by a user. The automatic designation method of network connection, characterized by the above-mentioned. 4. The method of claim 3, further comprising the step of enabling the wireless terminal to establish the network connection using a locally stored certificate that corresponds to a predetermined certificate that is at the top in a predetermined order that matches the locally stored certificate. An automatic designation method of a network connection, comprising. The method of claim 1, wherein the step of receiving a certificate comprises the step of receiving the certificate through a client certificate message issued by the wireless terminal. The method of claim 1, further comprising registering a user with the targeted service through the registration module when the network connection is assigned to the registration module. 9. The method of claim 8, further comprising the step of providing the wireless terminal with an authorized certificate of the service provider again in response to user registration with the targeted service. The method of claim 1, wherein the access rights held by the user are stored as a local certificate on a Wireless Identity Module (WIM). 2. The method of claim 1, further comprising the wireless terminal supplying the wireless terminal with a list of available public certificates that can be used to establish the connection. 12. The method of claim 11, further comprising the step of supplying the wireless terminal with a list of available public certificates available in priority order that the wireless terminal should use the highest public certificates held by the wireless terminal in establishing the connection. Automatic designation method of network connection characterized by. The method of claim 12, wherein the first public certificate is a public certificate of a service provider. 12. The network of claim 11, wherein determining whether the received certificate corresponds to a service provider's public certificate comprises comparing the received certificate to a list of available public certificates. How to automatically assign a connection. 2. The network connection of claim 1, wherein determining whether the received certificate corresponds to a service provider's public certificate comprises comparing the received certificate to the service provider's public certificate. Method of automatic assignment. A system for managing access to and registration of security services available to a user via a wireless terminal, A service module for allowing a service provider to use the security service for a user of the wireless terminal; A registration manager for achieving user registration with the security service; And An exchange module connected to receive a security certificate used by the wireless terminal in establishing a connection, the exchange module including a switch module for designating a connection to the service module or the registration manager according to the security certificate used for establishing the connection Access and registration management system for the security service, characterized in that. 17. The system of claim 16, wherein the exchange module determines whether a security certificate is used to establish the connection and specifies a connection to the service module or the registration manager according to the security certificate used. Access and registration management system for security services. 18. The system of claim 17, wherein the security certificate is digitally signed by the service provider, indicating that a user is registered with the service provider for use of the security service, thereby designating access to the service module. Access and registration management system for the security service, characterized in that. 18. The access to the registration manager of claim 17 wherein the security certificate is not digitally signed by the service provider, indicating that the user is not registered with the service provider for use of the security service. Designating access and registration management system for the security service. 18. The system of claim 17, wherein the security certificate indicates that a user can obtain a registration through the trust authority by digitally signing by a trust authority trusted by the service provider to designate access to the registration manager. Access and registration management system for the security service, characterized in that. 17. The system of claim 16, wherein the security certificate comprises a public certificate. 22. The system of claim 21, wherein the authorized certificate includes at least one of an identification verification certificate, an authorization certificate, and a non-repudiation certificate. 18. The system of claim 16, wherein the exchange module includes a list of potential authorized certificates in a preferred order of use, wherein the exchange module uses the highest priority certificates in the order of priority use to access the wireless terminal. And providing the wireless terminal with a list of potential authorized certificates to enable the establishment of a certificate management system. 24. The system of claim 23, wherein the exchange includes a comparison module for comparing at least one of the predetermined public certificates to the public certificate used by the wireless terminal. . The method of claim 24, (a) the comparing module compares the public certificate of the service provider with the public certificate used by the wireless terminal in establishing the connection; (b) if a match is found, the exchange module assigns a user access to the service module to use the security service; And (c) if a match is not found, the exchange module assigns a user access to the registration manager to achieve user registration with the security service. The method of claim 24, (a) the comparing module compares each of the predetermined public certificates to a public certificate used by the wireless terminal; And (b) the exchange assigns a user access to the service module or the registration manager according to a result of the comparison. 17. The access and registration of a security service as recited in claim 16, wherein said registration manager is configured to issue a public certificate upon successful registration, including a public certificate of a service provider necessary for use with said security service. Management system. A system for managing a user's access and registration to security services available on a network, A wireless network capable of operating a plurality of wireless terminals therein; A computing system network, comprising: a registration server, wherein at least one computing system includes a server computing system that hosts a security service targeted by at least one of the wireless terminals, and further achieves user registration with the security service. A computing system network comprising a; A gateway computing system configured to bridging communication between the wireless network and the computing system network; And A network switch connected to receive a public certificate used by a wireless terminal in establishing a connection with said computing system network, said server computing system or in accordance with a public certificate used by said wireless terminal in establishing said connection; or And a network switch for exchanging access to the registration server. 29. The WAP-compliant terminal of claim 28, wherein the gateway computing system comprises a Wireless Application Protocol (WAP) gateway, wherein at least a wireless terminal establishing a connection with the computing system network is a WAP-compliant terminal. User access and registration management system for a security service comprising a. 30. The system of claim 29, wherein the WAP-compliant terminal comprises one of a wireless telephone, a personal digital assistant, a wireless pager, and a wireless laptop computer. 29. A user's access to a security service according to claim 28, wherein said computing system network comprises the Internet, and a Wireless Application Protocol (WAP) is used for communication between said wireless terminal and said Internet. And registration management system. A system for automatically routing a network connection based on access rights held by a user of a wireless terminal, Means for receiving from the wireless terminal a certificate having security information indicative of access rights held by the user; Means for determining whether the received certificate corresponds to an authorized certificate of a service provider that refers to access to a targeted service; And If the received certificate corresponds to a public certificate of the service provider, designates a network connection to the targeted service; if the received certificate does not correspond to a public certificate of the service provider, the public certificate of the service provider Means for designating a network connection to a registration module for registration. A computer readable program storage medium tangibly comprising an instruction program executable by a computing system to manage a user's access and registration to a secure network service, the instruction program comprising: Receiving a certificate from the wireless terminal, the certificate having security information indicative of the access rights held by the user; Determining whether the received certificate corresponds to an authorized certificate of a service provider that refers to access to a targeted service; If the received certificate corresponds to an authorized certificate of the service provider, designating a network connection to the targeted service; And And if the received certificate does not correspond to an authorized certificate of the service provider, designating a network connection to a registration manager for registration of the authorized certificate of the service provider.